10 July 2008

There's been a lot of attention paid recently to the issue of
laptop
searches at borders, including a
congressional
hearing and a
New York
Times editorial.
I've seen
articles
with advice on how to protect your data under such circumstances;
generally speaking, the advice boils down to "delete what you can, encrypt
the rest, hope that Customs officials don't compel production of your key,
and securely clean up the deleted files". If you need sensitive information
while you're traveling, the usual suggestion is to download it over
a secure connection, per the
EFF:

Another option is to bring a clean laptop and get the information
you need over the internet once you arrive at your destination,
send your work product back, and then delete the data before
returning to the United States. Historically, the Foreign
Intelligence Surveillance Act (FISA) generally prohibited
warrantless interception of this information exchange. However,
the Protect America Act amended FISA so that surveillance of
people reasonably believed to be located outside the United States
no longer requires a warrant. Your email or telnet session can now
be intercepted without a warrant. If all you are concerned about
is keeping border agents from rummaging through your revealing
vacation photos, you may not care. If you are dealing with trade
secrets or confidential client data, an encrypted VPN is a better
solution.

But is it?

When a laptop is searched, the customs agents are not looking for drugs
embedded in the batteries or for whether or not the connectors have too much
gold on the contacts. Rather, they're looking for
information.

In that sense, it would seem to make little difference if the information
is "imported" into the US via a physical laptop or via a VPN, or for that
matter by a web connection. The right to search a laptop for information,
then, is equivalent to the right to tap any and all international
connections, without a warrant or probable cause. (More precisely,
one always has a constitutional protection against "unreasonable" search
and seizure; the issue is what the definition of "unreasonable" is.)

According to
an
analysis
of the
revisions
to FISA,
"the bill affirmatively permits electronic
surveillance without any warrant for
Americans' international communications when the NSA is "targeting" a
foreigner or group abroad."
By contrast, a border search targets a particular individual entering
the country, rather than some foreign group. But if warrantless searches
for information are legal, does this provide a non-statutory extension
to FISA, a way to justify warrantless wiretapping beyond what FISA already
permits?

It gets worse. In general, one has no right to hide contraband from
customs agents when crossing the border. Is hiding imported information
— that is to say, using an encrypted international
connection — improper? Put another way, is using encryption
on an international connection the equivalent of hiding physical objects
in a false-bottomed suitcase?
If so, it is saying that the government
must have access to all keys, a notion that was quite thoroughly
discredited (and rejected
by the American public) during the debate over the
Clipper chip
in the 1990s.

What about a court order compelling disclosure of a key or passphrase?
The legal situation is quite unclear. In
in re
Boucher,
a judge ruled that the Fifth Amendment protection against
self-incrimination could be used to deflect a request for a passphrase.
While the judge's reasoning
is suspect
based on the facts of this particular case, his reasoning
struck me as sound. Also note that Boucher was a criminal case; the
situation in a civil case is more less clear, since the protection
against self-incrimination would not apply.

There's one more philosophical point to consider. Restricting
the public's
access to "foreign"
information is antithetical to the basic principles of the First
Amendment, and of Freedom of Thought. Trying to restrict access to
information in this way is the moral equivalent of the practice of denying
visitor visas to Communists (imagined or real) during the 1950s.

Perhaps I'm carrying my arguments too far. Perhaps the slope isn't as
slippery as I've portrayed it, though
Kerr
seems to agree that the Constitution would permit warrantless
searches of international connections.
At the least, we need a clear
statement of what the rules are for government access to imported
information, whether carried in physically or electronically.